This year's start of spring was further darkened when tax filers learned that the Internal Revenue Service (IRS), which seems never to have had a sound cybersecurity record anyway, is still far from adequately protecting citizens' critical personal data.
According to reports, not only does the agency still have two-thirds of previously identified weaknesses — such as those we heard about last year surrounding network and file access controls, event logging and monitoring and physical controls — they also recently have had portable device exposures. Reportedly, between January 2003 and June 2006, some 500 IRS laptops were lost or stolen. IRS officials don't have definitive info on what data was stored on these, but they did reportedly say that of some 100 laptops currently used, 44 had on them unencrypted, sensitive taxpayer and employee details.
They say they've made some progress in auditing and monitoring and password controls, but still need to address those persistent access control issues, segregation of duties and implementation of an agency-wide security program required by the Federal Information Security Management Act (FISMA).
Agencies are slow-moving beasts. Too, they often have to fight other government priorities for budget, so frequently face a lack of it.
Despite these issues, taxpayers have to wonder why the very organization they fear to get audited by, along with the administrative and congressional branches of our government, aren't better prioritizing and appropriately budgeting for the execution of the Government Accountability Office's recommendations to strengthen protection of private data that agencies like the IRS store. Sure, federal budgets are strained, but failure to better the security measures around such fundamental proprietary data is unacceptable and sadly ironic — especially in light of continued data breach incidents like the TJX Co. exposure.
Cybersecurity, even alongside what is bound to be a protracted war, must be given more attention and money by the government. The very agency that is so diligent in ensuring we pay our taxes, and that houses our personal data, in the least, must take steps to protect us.
If not, then death and taxes aren't the only sure things in life. Exposure of my details via shoddy IRS security mechanisms are too.
- Illena Armstrong is SC Magazine's U.S. editor-in-chief.